Coke Gets Hacked And Doesn't Tell Anyone

Executive Summary

In 2009, hackers broke into Coca-Cola’s computer systems and stole sensitive files related to its pending $2.4 billion acquisition of China Huiyuan Juice Group. Using social engineering and a malicious link in an email sent to a top executive, the hackers installed malware that gave them full access to the executive’s computer. They also installed a keylogger, which captured everything the executive typed. Coca-Cola only learned of the breach when it was contacted by the FBI, almost two weeks after the breach occurred. Ultimately the deal fell through and Coca-Cola was unable to acquire the Chinese company; it is unclear whether the security breach had anything to do with the failure of the deal.

More startling than the fact that Coca-Cola had its systems hacked, and potentially lost a $2.4 billion deal because of it, is that its top executive chose not to disclose the hack to the company's investors, claiming that there was no proof that the hack resulted in a material loss. The SEC only requires companies to disclose material losses from cyber-attacks and any information “a reasonable investor would consider important to an investment decision.” Coca-Cola, like many other companies that experience cyber-attacks, regularly chooses not to disclose such incidents to investors, claiming that there is no proof that material losses occurred because of the attack. Whether material losses occurred, or might occur in the future, because of a cyber-attack is often unclear and is left to the discretion of management, which historically has chosen not to disclose the information unless forced.

Analysis

While it is often hard, if not impossible, to stop a seasoned, determined hacker from infiltrating a company’s computer systems, the incident at Coca-Cola occurred because of social engineering. The hackers sent an email to a top executive and made it appear as if it came from another top executive, regarding a well-known internal corporate initiative. The email contained a link to a website which, when clicked, installed malware on the executive’s computer, ultimately giving the hackers access to Coca-Cola’s entire computer network.

Social engineering attacks are difficult to prevent because they rely on human weakness more than on network vulnerability. However, since this particular incident occurred because an executive clicked on a link in an email, it might be possible to set up an email scanning system that either scans for malicious links or simply deletes all external links in emails coming from outside sources. Coca-Cola could then also modify its IT policy to prohibit emailing links. If attachments are used instead of links, it should be easier for antivirus software to scan them.
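The link-removal option described above, as an added example (not code from Coca-Cola or from the original write-up): it removes every link whose host is outside the company's own domains from the text parts of a message that the mail gateway has classified as coming from outside. The domain `example.com`, the sample message and the `from_outside` flag are assumptions; the flag is supplied by the gateway rather than read from the From header because, as in this incident, the visible sender can be forged.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own domains
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample: the From header claims an internal executive.
RAW = (
    "From: Senior Executive <exec@example.com>\n"
    "To: other.exec@example.com\n"
    "Subject: Internal initiative update\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Details: http://portal.attacker.invalid/update and\n"
    "the intranet page https://intranet.example.com/initiative\n"
)

def is_internal(url):
    """True only when the URL's host is an internal domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL: treat as external
        return False
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def strip_external_links(text):
    """Replace each external URL with a marker; return (clean_text, removed_urls)."""
    removed = []
    def repl(match):
        url = match.group(0)
        if is_internal(url):
            return url
        removed.append(url)
        return "[external link removed]"
    return URL_RE.sub(repl, text), removed

def sanitize(raw, from_outside):
    """Strip external links from the text parts of a message from outside."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    if from_outside:  # decided by the gateway, not by the forgeable From header
        for part in msg.walk():
            if part.get_content_maintype() == "text" and not part.is_attachment():
                clean, hits = strip_external_links(part.get_content())
                part.set_content(clean, subtype=part.get_content_subtype())
                removed += hits
    return msg, removed
```

The returned list of removed URLs can be logged, which also supports the "scan for malicious links" option by giving the scanner the exact links that arrived.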